Method and system for detecting attacks in wireless data communications networks

US 8,369,830 B2
Filed: 12/30/2004
Issued: 02/05/2013
Est. Priority Date: 12/30/2004
Status: Active Grant

First Claim

Patent Images

1. A method performed by an attack detector module for detecting attacks in a wireless data communications network which includes at least one trusted apparatus and a communications terminal that is assigned a dynamic network state corresponding to wireless traffic exchanges of the communications terminal, the method comprising:

acquiring a first trusted network state for the dynamic network state of the communications terminal;

acquiring trusted information via a trusted channel, wherein the trusted information is indicative of a communication between the communications terminal and the at least one trusted apparatus and the trusted channel is different from the wireless data communications network;

updating the first trusted network state to a second trusted network state for the dynamic network state of the communications terminal, wherein the second trusted network state is different from the first trusted network state and the updating is based on the trusted information;

monitoring, via a wireless traffic monitor, wireless traffic over the wireless data communications network;

deriving a non-trusted network state for the dynamic network state of the communications terminal from the monitored wireless traffic;

comparing the non-trusted network state with the second trusted network state; and

determining a wireless network attack in case of incoherence between the non-trusted network state and the second trusted network state.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of detecting attacks in a wireless data communications network, includes: monitoring wireless traffic over the wireless data communications network; deriving a first network state from the monitored wireless traffic; acquiring trusted information indicative of a wireless network state from at least one apparatus of a network infrastructure; establishing a second network state based on the acquired trusted information; comparing the derived first network state with the second network state, and determining a wireless network attack in case of incoherence between the derived first network state compared to the second network state.

Citations

27 Claims

1. A method performed by an attack detector module for detecting attacks in a wireless data communications network which includes at least one trusted apparatus and a communications terminal that is assigned a dynamic network state corresponding to wireless traffic exchanges of the communications terminal, the method comprising:
- acquiring a first trusted network state for the dynamic network state of the communications terminal;
  
  acquiring trusted information via a trusted channel, wherein the trusted information is indicative of a communication between the communications terminal and the at least one trusted apparatus and the trusted channel is different from the wireless data communications network;
  
  updating the first trusted network state to a second trusted network state for the dynamic network state of the communications terminal, wherein the second trusted network state is different from the first trusted network state and the updating is based on the trusted information;
  
  monitoring, via a wireless traffic monitor, wireless traffic over the wireless data communications network;
  
  deriving a non-trusted network state for the dynamic network state of the communications terminal from the monitored wireless traffic;
  
  comparing the non-trusted network state with the second trusted network state; and
  
  determining a wireless network attack in case of incoherence between the non-trusted network state and the second trusted network state.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 27)
- - 2. The method according to claim 1, wherein said at least one trusted apparatus comprises at least one access point of the wireless data communications network, the communications terminal is a mobile communications terminal, and said acquiring trusted information comprises acquiring trusted information about a current state of the mobile communications terminal from said at least one access point.
  - 3. The method according to claim 2, wherein the wireless data communications network is a network compliant with the IEEE 802.11 standard.
  - 4. The method according to claim 3, wherein said trusted information about a current state of the mobile communications terminal acquired from the at least one access point comprises one or more among a medium access control level identifier of the mobile communications terminal, a communications channel used by the mobile communications terminal, a service set identifier, a basic service set identifier, an association state of the mobile communications terminal, and an authentication type and state of the mobile communications terminal.
  - 5. The method according to claim 3, wherein said at least one trusted apparatus comprises at least one authentication server for authenticating the mobile communications terminal in accordance with an authentication protocol, and said acquiring trusted information comprises acquiring trusted information about a current state of the mobile communications terminal from the at least one authentication server.
  - 6. The method according to claim 5, wherein said authentication protocol complies with IEEE 802.11i standard.
  - 7. The method according to claim 6, wherein said trusted information about a current state of mobile communications terminal acquired from the at least one authentication server comprises one or more among information indicative of an authentication and key management protocol, information indicative of an extensible authentication protocol method negotiated between the mobile communications terminal and the authentication server and of parameters specific of the negotiated extensible authentication protocol method, information indicative of an authentication state of the mobile communications terminal, information indicative of a cyphersuite for cyphering, information indicative of a state of a handshake procedure between the mobile communications terminal and the authentication server.
  - 8. The method according to claim 5, wherein said deriving the non-trusted network state and updating the first trusted network state to a second trusted network state further comprises exploiting configuration information indicative of a configuration of the wireless data communications network.
  - 9. The method according to claim 8, wherein said configuration information comprises one or more among a list of access points of the wireless data communications network and address information thereof, a list of wireless data communications network channels, a list of communications protocols, a list of authentication servers and address information thereof, and a list of encryption and authentication methods.
  - 10. The method according to claim 5, wherein said monitoring wireless traffic comprises intercepting one or more among data frames, management frames, control frames, extensible authentication protocol and extensible authentication protocol over local area networks data frames.
  - 11. The method according to claim 1, further comprising issuing alerts in case said wireless network attack is determined.
  - 12. The method according to claim 1, wherein the trusted channel comprises a wired connection between the attack detector and the at least one trusted apparatus.
  - 27. A non-transitory computer readable medium encoded with a computer program directly loadable into a working memory of a data processing apparatus and comprising software code portions for implementing the method according to claim 1.

13. A system for detecting attacks in a wireless data communications network which includes at least one trusted apparatus and a communications terminal that is assigned a dynamic network state corresponding to wireless traffic exchanges of the communications terminal, the system comprising:
- a network monitor for acquiring a first trusted network state for the dynamic network state of the communications terminal, and further for acquiring trusted information via a trusted channel, wherein the trusted information is indicative of a communication between the communications terminal and the at least one trusted apparatus and the trusted channel is different from the wireless data communications network, and to update, based on the trusted information, the first trusted network state to a second trusted network state for the dynamic network state of the communications terminal, wherein the second trusted network state is different from the first trusted network state;
  
  a wireless traffic monitor for monitoring wireless traffic over the wireless data communications network and to derive a non-trusted network state for the dynamic network state of the communications terminal from the monitored wireless traffic; and
  
  an attack detector engine for comparing the non-trusted network state with the second trusted network state, and to determine a wireless network attack in case of incoherence between the non-trusted network state compared to the second trusted network state.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 14. The system according to claim 13, wherein said at least one trusted apparatus comprises at least one access point of the wireless data communications network, the communications terminal is a mobile communications terminal, and said information comprises information about a current state of the mobile communications terminal acquired from said at least one access point of the wireless data communications network.
  - 15. The system according to claim 14, wherein the wireless data communications network is a network compliant with the IEEE 802.11 standard.
  - 16. The system according to claim 15, wherein said trusted information about a current state of the mobile communications terminal acquired from the at least one access point comprises one or more among a medium access control level identifier of the mobile communications terminal, a communications channel used by the mobile communications terminal, a service set identifier, a basic service set identifier, an association state of the mobile communications terminal, and an authentication type and state of the mobile communications terminal.
  - 17. The system according to claim 15, wherein said at least one trusted apparatus comprises at least one authentication server for authenticating the mobile communications terminal in accordance with an authentication protocol, and said trusted information comprises trusted information about a current state of the mobile communications terminal acquired from the at least one authentication server.
  - 18. The system according to claim 17, wherein the wireless data communications network is further compliant with the IEEE 802.11i standard.
  - 19. The system according to claim 18, wherein said trusted information about a current state of the mobile communications terminal acquired from the at least one authentication server comprises one or more among information indicative of an authentication and key management protocol, information indicative of an extensible authentication protocol method negotiated between the mobile communications terminal and the authentication server and of parameters specific of the negotiated extensible authentication protocol method, information indicative of an authentication state of the mobile communications terminal, information indicative of a cyphersuite for cyphering, and information indicative of a state of a handshake procedure between the mobile communications terminal and the authentication server.
  - 20. The system according to claim 17, further comprising a database for storing said trusted information.
  - 21. The system according to claim 17, further comprising a configuration unit for storing configuration information indicative of a configuration of the wireless data communications network, said configuration information being exploited by the wireless traffic monitor for deriving the non-trusted network state, and by the network monitor for updating the first trusted network state to the second trusted network state.
  - 22. The system according to claim 21, wherein said configuration information comprises one or more among a list of access points of the wireless data communications network and address information thereof, a list of wireless data communications network channels, a list of communications protocols, a list of authentication servers and address information thereof, and a list of encryption and authentication methods.
  - 23. The system according to claim 17, wherein said wireless traffic monitor is configured to intercept one or more among data frames, management frames, control frames, extensible authentication protocol and extensible authentication protocol over local area networks data frames.
  - 24. The system according to claim 13, wherein the attack detector engine issues alerts in case said wireless network attack is determined.
  - 25. A wireless data communications network comprising the system for detecting attacks according to claim 13.
  - 26. The system according to claim 13, wherein the trusted channel comprises a wired connection between the attack detector and the at least one trusted apparatus.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Telecom Italia S.p.A.
Original Assignee
Telecom Italia S.p.A.
Inventors
Sperti, Luigi, Mollo, Maria Jos, Frosali, Federico, Freguglia, Giorgio
Primary Examiner(s)
Afshar, Kamran
Assistant Examiner(s)
ROD, YOUSEF R

Application Number

US11/794,249
Publication Number

US 20080043686A1
Time in Patent Office

2,959 Days
Field of Search

370/338, 455410-411, 455/418, 455/433, 713/201
US Class Current

455/410
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

H04L 63/1408   by monitoring network traff...

H04L 63/1458   Denial of Service

H04W 12/121   Wireless intrusion detectio...

H04W 12/66   Trust-dependent, e.g. using...

H04W 24/00   Supervisory, monitoring or ...

Method and system for detecting attacks in wireless data communications networks

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for detecting attacks in wireless data communications networks

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links